{"id":6099,"date":"2012-09-28T07:27:42","date_gmt":"2012-09-28T12:27:42","guid":{"rendered":"http:\/\/jianmingli.com\/wp\/?p=6099"},"modified":"2013-05-17T11:09:38","modified_gmt":"2013-05-17T16:09:38","slug":"ldap","status":"publish","type":"post","link":"https:\/\/jianmingli.com\/wp\/?p=6099","title":{"rendered":"LDAP Notes"},"content":{"rendered":"
\n

Contents<\/h2>\n
    \n\t
  1. \n\t\tOverview<\/a>\n\t\t
      \n\t\t\t
    1. \n\t\t\t\tFour Models (FINS)<\/a>\n\t\t\t<\/li>\n\t\t\t
    2. \n\t\t\t\tLDAP Advantages<\/a>\n\t\t\t<\/li>\n\t\t\t
    3. \n\t\t\t\tLDAP Disadvantages<\/a>\n\t\t\t<\/li>\n\t\t<\/ol>\n\t
    4. \n\t\tObject or Data Model<\/a>\n\t\t
        \n\t\t\t
      1. \n\t\t\t\tData Information Tree (DIT)<\/a>\n\t\t\t<\/li>\n\t\t\t
      2. \n\t\t\t\tSchema<\/a>\n\t\t\t<\/li>\n\t\t\t
      3. \n\t\t\t\tEntries<\/a>\n\t\t\t<\/li>\n\t\t\t
      4. \n\t\t\t\tObjectClass<\/a>\n\t\t\t<\/li>\n\t\t\t
      5. \n\t\t\t\tAttribute<\/a>\n\t\t\t<\/li>\n\t\t\t
      6. \n\t\t\t\tLDAP Referrals<\/a>\n\t\t\t<\/li>\n\t\t\t
      7. \n\t\t\t\tLDAP Replication<\/a>\n\t\t\t<\/li>\n\t\t<\/ol>\n\t
      8. \n\t\tMatching Rules<\/a>\n\t<\/li>\n\t
      9. \n\t\tOperational Attributes and Objects<\/a>\n\t<\/li>\n\t
      10. \n\t\tReferences<\/a>\n\t<\/li>\n<\/ol>\n<\/ol>\n<\/div>\n
         <\/div>\n

        Overview<\/h2><\/span>\n

        * LDAP defines a protocol<\/strong> for
        \n– accessing<\/em> directory data
        \n– representing<\/em> data in directory service
        \n– imp\/exp<\/em> data in directory service (ldif format)
        \n* LDAP does not<\/strong> define
        \n– how data is stored
        \n– how data is manipulated<\/p>\n

        Four Models (FINS)<\/h3><\/span>\n

        * Functional model: how to access LDAP
        \n* Information Model: how to represent information aka data (not how to store data)
        \n* Naming model: for example, dc=example,dc=com<\/em>
        \n* Security model:<\/p>\n

        \"\"<\/a><\/h6><\/span>\n

        LDAP Advantages<\/h3><\/span>\n

        * Write-once-read-many-times<\/em>
        \n* Standardized<\/em> method for local as well as remote ldap access
        \n– Data can be delegated to multiple locations
        \n* Can be configured to replicate data (like DNS)<\/p>\n

        LDAP Disadvantages<\/h3><\/span>\n

        * Updates are expensive (due to indexing)
        \n* Not for transaction activities (may contain data inconsistencies)<\/p>\n

        Object or Data Model<\/h2><\/span>\n

        Data Information Tree (DIT)<\/h3><\/span>\n

        * LDAP represents data as a hierarchy of objects, like a tree:
        \n– has a root<\/em>
        \n– has branches (entries<\/em>)
        \n– has leaves (objectClasses<\/em>)
        \n– each leave (i.e. objectClass) has cells (attributes<\/em>)
        \n– cell (i.e. attribute) is where data is stored<\/p>\n

        \"\"<\/a><\/h6><\/span>\n

        Schema<\/h3><\/span>\n

        * Convenient packaging unit for a group of objectClasses and attributes
        \n* Think of it as different type of trees such as oak tree, willow tree, fir tree, etc.<\/p>\n

        Entries<\/h3><\/span>\n

        * Must contain one, and only one, STRUCTURAL objectClass
        \n* May contain one ABSTRACT objectClass
        \n* May contain any number of AUXILIARY objectClasses
        \n* May have parent, and\/or child, and\/or sibling entries<\/p>\n

        \"\"<\/a><\/h6><\/span>\n

        ObjectClass<\/h3><\/span>\n

        * Used as a container for attributes
        \n* Has a OID
        \n* Has a name<\/em>
        \n* Is searchable
        \n* Defines if an attribute is optional<\/em> or mandatory<\/em>
        \n* Can be part of hierarchy:
        \n– the whole hierarchy must be of the same type, i.e. STRUCTURAL or AUXILIARY
        \n– inherits all<\/em> characteristics of its parent ObjectClasses<\/p>\n

        \r\nObjectClassDescription = \"(\" whsp\r\n  numericoid whsp      ; ObjectClass identifier\r\n  [ \"NAME\" qdescrs ]\r\n  [ \"DESC\" qdstring ]\r\n  [ \"OBSOLETE\" whsp ]\r\n  [ \"SUP\" oids ]       ; Superior ObjectClasses\r\n  [ ( \"ABSTRACT\" \/ \"STRUCTURAL\" \/ \"AUXILIARY\" ) whsp ]\r\n\t\t\t\t\t   ; default structural\r\n  [ \"MUST\" oids ]      ; AttributeTypes\r\n  [ \"MAY\" oids ]       ; AttributeTypes\r\nwhsp \")\"\r\n<\/pre>\n
        Attribute<\/h3><\/span>\n
        * Has a OID
        \n* Has a name<\/em>
        \n* Is searchable
        \n* May be part of hierarchy
        \n– inherits all<\/strong> properties of its parents<\/strong>
        \n* Can have aliases or abbreviations, e.g. cn<\/em> for commomName<\/em>
        \n* Usually contains data
        \n– has a data type
        \n– defaults to allow multiple values
        \n* Always associated with one or more<\/strong> ObjectClasses
        \n* Can be either optional or mandatory for associated ObjectClass
        \n* No primary key, one or more attributes are used to identity a unique entry. Like database combination keys and are called naming attributes<\/em> or relative distinguished name (RDN)<\/em> in LDAP.<\/p>\n
        \r\nAttributeTypeDescription = \"(\" whsp\r\n    numericoid whsp              ; AttributeType identifier\r\n  [ \"NAME\" qdescrs ]             ; name used in AttributeType\r\n  [ \"DESC\" qdstring ]            ; description\r\n  [ \"OBSOLETE\" whsp ]\r\n  [ \"SUP\" woid ]                 ; derived from this other\r\n\t\t\t\t ; AttributeType\r\n  [ \"EQUALITY\" woid              ; Matching Rule name\r\n  [ \"ORDERING\" woid              ; Matching Rule name\r\n  [ \"SUBSTR\" woid ]              ; Matching Rule name\r\n  [ \"SYNTAX\" whsp noidlen whsp ] ; see section 4.3\r\n  [ \"SINGLE-VALUE\" whsp ]        ; default multi-valued\r\n  [ \"COLLECTIVE\" whsp ]          ; default not collective\r\n  [ \"NO-USER-MODIFICATION\" whsp ]; default user modifiable\r\n  [ \"USAGE\" whsp AttributeUsage ]; default userApplications\r\n  whsp \")\"\r\n<\/pre>\n
        LDAP Referrals<\/h3><\/span>\n
        * Similar to DNS referrals in concept
        \n* No server auto referrals defined in standards
        \n– Some vendors, e.g. OpenLDAP, use chaining<\/em> for auto referrals
        \n* Referrals are returned to client instead<\/p>\n
        \"\"<\/a><\/h6><\/span>\n
        LDAP Replication<\/h3><\/span>\n
        * Built in replication to allow one or more copies of DIT<\/strong> (not whole LDAP) to be slaved from a single master
        \n* Takes time to replicate (potential data inconsistencies)
        \n* Master-Slave replication:
        \n– slaves are read only copies of the master
        \n– master server is single point of failure
        \n* Multi-Master replication:
        \n– Data contentions: value contention and delete convention
        \n* Example replication configurations:<\/p>\n
        \"\"<\/a><\/h6><\/span>\n
        Matching Rules<\/h2><\/span>\n
        * Part of LDAP operational
        \n* Typicall built-in to the LDAP server and defined in subschema
        \n* A matching rule is defined for each<\/strong> attribute using
        \n– EQUALITY
        \n– SUBST
        \n– ORDERING<\/p>\n
        Operational Attributes and Objects<\/h2><\/span>\n
        * Build in attributes and objectClasses
        \n* Governs how LDAP server functions
        \n* Live under rootDSE
        \n* Not visible during normal operations<\/p>\n
        \"\"<\/a><\/h6><\/span>\n
        * From ldapsearch:<\/p>\n
        \r\n# note the + returns operational attributes\r\nldapsearch -h localhost -p 1389 -x -s base -b \"\" +\r\n<\/pre>\n
        References<\/h2><\/span>\n
        * LDAP for Rocket Scientists<\/a>
        \n*         OpenLDAP Glossary<\/a>
        \n*         RFC 2252<\/a>: Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions<\/p>\n","protected":false},"excerpt":{"rendered":"
        Overview * LDAP defines a protocol for – accessing directory data – representing data in directory service – imp\/exp data in directory service (ldif format) * LDAP does not define – how data is stored – how data is manipulated … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[34],"tags":[566],"class_list":["post-6099","post","type-post","status-publish","format-standard","hentry","category-ldap","tag-ldap"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/s8cRUO-ldap","_links":{"self":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/6099","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6099"}],"version-history":[{"count":9,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/6099\/revisions"}],"predecessor-version":[{"id":6105,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/6099\/revisions\/6105"}],"wp:attachment":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6099"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6099"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6099"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}